“In the very near future, many conflicts will not take place on the open field of
battle, but rather in spaces on the Internet, fought with the aid of information
soldiers .... This means that a small force of hackers is stronger than the
multi-thousand force of the current armed forces.”

-  Former  Duma  member  Nikolai  Kuryanovich1 


On  19  July  2008  an  Internet  security  firm  reported  a  distributed  denial 
of  service  (DDoS)  cyber  attack  against  Web  sites  in  the  country  of 
Georgia.2  Three  weeks  later,  on  8  August,  security  experts  observed  a 
second,  more  substantial  round  of  DDoS  attacks  against  Georgian  Web  sites. 
Analysts  noted  that  these  additional  DDoS  attacks  appeared  to  coincide 
with  the  movement  of  Russian  troops  into  South  Ossetia  in  response  to 
Georgian  military  operations  launched  a  day  earlier  in  the  region.  By  10 
August  the  DDoS  attacks  had  rendered  most  Georgian  governmental  Web 
sites  inoperative.3 

As  a  result  of  these  attacks,  the  Georgian  government  found  itself 
cyber-locked,  barely  able  to  communicate  on  the  Internet.  In  response,  the 
government  took  the  unorthodox  step  of  seeking  cyber  refuge  in  the  United 
States.  Without  first  obtaining  US  government  approval,  Georgia  relocated 
critical  official  Internet  assets  to  the  United  States,  Estonia,  and  Poland.4 

Georgian-Russian  hostilities  in  South  Ossetia  have  generated  a 
substantial  amount  of  analysis  and  speculation  regarding  the  accompanying 
cyber  conflict.5  Most  of  the  focus  has  centered  on  identifying  the  parties 
who  conducted  the  cyber  attacks.  The  Georgian  cyber  event  provides  an 
intriguing  opportunity  to  examine  a  more  subtle  and  perhaps  overlooked 
aspect  of  cyber  conflict — the  concept  of  cyber  neutrality.  The  Georgian  case 
raises two fundamental questions: (1) How did the combined actions of
the  Georgian  government  and  US  information  technology  (IT)  companies 
impact  American  status  as  a  cyber  neutral?  (2)  Can  the  United  States  remain 
neutral  (or  cyber  neutral)  during  a  cyber  conflict? 

The  underlying  implications  of  the  overall  issue  should  be  of  great 
concern  to  US  policymakers  and  strategists.  Even  if  the  United  States  is 
not  a  belligerent  in  a  cyber  conflict,  incursions  against  the  US  Internet 
infrastructure  are  likely.  Private  industry  owns  and  operates  the  majority 
of  the  Internet  system.  During  a  cyber  conflict,  the  unregulated  actions 
of  third-party  actors  have  the  potential  of  unintentionally  impacting  US 
cyber  policy,  including  cyber  neutrality.  There  is  little,  if  any,  modern  legal 
precedent.  The  fact  that  American  IT  companies  provided  assistance  to 
Georgia,  a  cyber  belligerent,  apparently  without  the  knowledge  or  approval 
of  the  US  government,  illustrates  what  is  likely  to  become  a  significant 
policy  issue.  Although  nations  still  bear  ultimate  responsibility  for  the 
acts  of  their  citizens,  applying  that  dictum  to  the  modern  realities  of  cyber 
conflict  is  a  complex  challenge.  Georgia’s  unconventional  response  to  the 
August  2008  DDoS  attacks,  supported  by  US  private  industry,  adds  a  new 
element  of  complication  for  cyber  strategists. 

Cyber  Neutrality:  A  Basic  Rubric 

In  the  United  States,  the  executive  branch  can  choose  to  follow  a 
neutrality  policy  as  a  matter  of  its  constitutional  authority  regarding  foreign 
relations.  In  1908,  Woodrow  Wilson,  then  president  of  Princeton  University, 
posited,  “One  of  the  greatest  of  the  President’s  powers  I  have  not  yet  spoken 
of  at  all:  his  control,  which  is  very  absolute,  of  the  foreign  relations  of  the 
nation.”6  At  the  beginning  of  World  War  I,  President  Wilson  declared  the 
United  States  a  neutral  nation,  yet  American  banks  provided  loans  to  Britain 
and France, and American industry sold armaments to those nations. The
German  government  eventually  responded  by  waging  submarine  warfare  and 
maritime  commerce  raiding  against  the  United  States.  Wilson’s  neutrality 
stance  was  more  rhetorical  than  real,  in  that  he  did  not  exercise  executive 
authority  to  halt  US  loans  and  arms  shipments  to  belligerents.  More  than 
half  a  century  later,  Supreme  Court  Justice  William  O.  Douglas  would  pen 
sentiments  similar  to  Wilson’s:  “My  view  of  foreign  affairs  is  that  Congress 
has  the  power  to  declare  war,  and  that  all  diplomacy  short  of  that  is  under 
the  guidance  of  the  President.”7 

Although  the  executive  branch  is  preeminent  in  foreign  policy, 
Congress  retains  the  authority  to  regulate  foreign  commerce,  and  the  Senate 
must  consent  before  any  treaty  may  obligate  the  United  States.  In  the  early 
twentieth  century,  the  Supreme  Court  determined  that  neither  individual 
states  nor  private  corporations  possess  the  authority  to  act  contrary  to  a 
treaty.  If  the  US  government  establishes  a  strict  position  of  neutrality, 
American  industry  may  provide  nonmilitary  and  humanitarian  support  to  a 
belligerent,  but  firms  are  required  to  halt  all  commerce  that  militarily  aids  a 
combatant.8  When  a  corporation  violates  this  prohibition,  it  may  be  subject 
to  criminal  sanctions. 

For  the  purposes  of  this  article,  cyber  neutrality  stems  from  the  Hague 
(V)  Conventions  of  1907,  which  require  combatant  nations  to  recognize 
the  rights  of  neutrals.9  Neutrality  law  affords  nations  the  right  to  maintain 
relations  with  all  belligerents;  however,  neutral  countries  are  expected 
to  refrain  from  assisting  either  side  in  a  conflict,  other  than  to  effectuate 
peace.  Nations  that  declare  themselves  to  be  neutral,  and  act  accordingly, 
are  entitled  to  immunity  from  attack.  The  Hague  Conventions  also  dictate 
that  the  territory  of  a  neutral  nation  is  inviolable.  Belligerents  may  not 
move  forces,  weapons,  or  war  materiel  across  a  neutral  country’s  territory, 
or  conduct  hostilities  within  a  neutral’s  territory,  waters,  or  airspace.  A 
neutral  nation  jeopardizes  its  status  if  it  permits  belligerents  to  engage  in 
such  violations.  In  a  1917  decision,  the  US  Supreme  Court  cemented  this 
framework  into  American  jurisprudence.10 

Cyber  neutrality,  therefore,  is  the  right  of  any  nation  to  maintain 
relations  with  all  parties  engaged  in  a  cyber  conflict.  Under  a  traditional 
international  law  rubric,  to  remain  neutral  in  a  cyber  conflict  a  nation  cannot 
originate  a  cyber  attack,  and  it  also  has  to  take  action  to  prevent  a  cyber 
attack  from  transiting  its  Internet  nodes.11  These  stipulations  may  be  difficult 
to implement in the United States, where the constitutional framework
emphasizes  the  right  of  free  speech.  Nonetheless,  if  a  neutral  nation  takes 
no  action  against  parties  that  violate  its  territory,  it  risks  losing  its  cyber 
neutral  status. 

As  an  emerging  form  of  conflict,  cyber  war  and  cyber  neutrality  are 
not  explicitly  addressed  under  current  international  law.12  The  international 
community  remains  unsettled  on  whether  cyber  techniques  such  as  DDoS 
are  legally  considered  “weapons,”13  and  whether  cyber  attacks  can  be 
considered  legitimate  acts  of  “armed”  conflict.14  Malicious  software,  or 
malware,  is  not  considered  an  “arm”  of  war,  yet  the  effects  of  cyber  attacks 
can  potentially  be  equal  to  kinetic  attacks.  Arguably,  a  cyber  attack  that 
causes  physical  damage  might  constitute  an  “armed  attack”  under  the  United 
Nations  Charter.15  In  fact,  the  International  Telecommunication  Union  (ITU) 
posits  that  cyber  attacks  “could  in  theory  be  treated  as  acts  of  war  and  be 
brought  within  the  scope  of  arms  control  or  the  laws  of  armed  conflict.”16 

Proponents  who  view  malware  as  weapons  argue  that  cyber  attacks 
effectively  transmit  an  actual  weapon  across  the  Internet.17  For  example,  in 
issuing  National  Security  Directive  16,  President  George  W.  Bush  ordered 
the  development  of  guidelines  to  regulate  the  use  of  “cyber  weapons  in 
war.”18  A  2005  ITU  report  states  that  “cyber-weapons  are  easily  copied  and 
distributed  on  the  Internet.”19  A  2006  Defense  Science  Board  report  identifies 
the  US  military  network  as  “a  critical  weapon  system.”20  A  2006  Harvard 
International  Review  article  labels  cyber  threats  as  “a  new  weapon.”21  In 
January  2007,  the  United  States  Patent  and  Trademark  Office  issued  a 
patent  for  “the  public  network  weapons  system,”  effectively  recognizing 
the  Internet  protocol  (IP)  as  a  weapon  system  component.22  During  the  April 
2007  Estonian  cyber  event,  the  Estonian  Defense  Minister  contemplated 
invoking Article 5 of the North Atlantic Treaty, which considers an “armed
attack”  against  any  North  Atlantic  Treaty  Organization  (NATO)  member  to 
be  an  attack  against  all  members.23  In  April  2007  testimony  before  the  US 
Congress,  the  president  of  the  Professionals  for  Cyber  Defense  stated  that 
“cyber  attack  weapon(s)  .  .  .  may  well  be  deployed  already.”24 

Conversely,  skeptics  stress  that  few  international  legal  precedents 
recognize cyber weapons and point to the Law of Armed Conflict as being
unclear  with  respect  to  cyber  attacks.25  There  is  a  basis  for  this  view.  The 
2001  Council  of  Europe  Convention  on  Cybercrime  (COE  Convention),  to 
which  the  United  States  is  a  party,  omits  any  reference  to  the  terms  “cyber 
attack” or “cyber weapons.”26 A gun, universally recognized as a weapon,
can  be  used  to  commit  a  crime.  The  COE  does  not  extend  this  weapon 
analogy  to  cyber  tools.  Instead,  the  COE  Convention  considers  as  criminal 
acts  “damaging,  deleting,  deteriorating,  altering,  or  suppressing  computer 
data.”27  In  2005,  the  US  Air  Force  Judge  Advocate  General  published  a 
memorandum  stating  “the  network  is  not  a  weapon  system.”28  NATO 
defense  ministers  declined  to  declare  the  2007  Estonia  cyber  event  as  an 
attack  requiring  military  action.29  In  June  2008,  James  Lewis  of  the  Center 
for  Strategic  and  International  Studies  stated  that  DDoS  attacks  are  “more 
commonly  used  for  illicit  activities  like  committing  online  fraud  than  for 
cyber  war.”30  Kevin  Poulsen,  an  infamous  reformed  hacker  and  cyber  security 
consultant,  observed  in  August  2008  that  “there  are  good  reasons  to  reject 
the  idea  that  timeout  errors  (DDoS)  are  an  act  of  war.”31  In  short,  until  the 
haze  regarding  the  nature  of  cyber  attacks  is  dispersed,  many  observers  in  the 
legal  and  technical  communities  continue  to  view  DDoS  events  as  matters 
for  the  criminal  justice  system,  not  the  national  defense  system,  to  resolve. 

Although the debate over cyber conflict remains active, the international
law community does appear to be coalescing around the general
concept  that  use  of  the  Internet  to  conduct  cross-border  cyber  attacks  violates 
the  principle  of  neutrality.  Legal  scholar  Davis  Brown  notes:  “When  an 
information  packet  containing  malicious  code  travels  through  computer 
systems  under  the  jurisdiction  of  a  neutral  nation,  a  strict  construction  of  the 
law  of  neutrality  would  result  in  that  nation’s  neutrality  being  violated.”32 
Lawrence Greenberg emphasizes: “A belligerent violates neutrality law when
it  launches  a  cyber  attack  that  crosses  the  Internet  nodes  of  a  neutral  state.”33 
Jeffrey  Kelsey  further  argues:  “The  text  of  the  1907  Hague  Convention 
(V)  .  .  .  support(s)  the  view  that  cyber  attacks  crossing  the  Internet  nodes 
of  neutral  states  violate  international  humanitarian  law.”34  Even  with  this 
growing  body  of  thought,  the  challenge  for  US  cyber  strategists  is  how  to 
plan,  with  little  prior  experience,  for  increased  cyber  incursions  that  will 
undoubtedly  bring  American  cyber  neutrality  into  question. 

Consequences  for  US  Cyber  Neutrality 

On  19  July  2008  unknown  parties  used  a  computer  located  at  a 
United  States  “.com”  IP  address35  to  command  and  control  (C2)  a  DDoS 
attack against the Web site of Georgia’s President, Mikheil Saakashvili.36
The  DDoS  attack  overwhelmed  the  Georgian  Web  site.  Although  unable 
to  pinpoint  the  party  that  seized  the  US  computer,  experts  were  able  to 
identify  the  software  as  a  “MachBot”  DDoS  controller  written  in  Russian 
and  frequently  used  by  Russian  hackers.  Therefore,  analysts  speculated  the 
attack  had  ties  to  Russia.37 

The  COE  Convention,  in  Article  4  (data  interference)  and  Article 
5  (system  interference),  characterizes  this  type  of  attack  as  cyber  crime, 
not  cyber  war.  As  such,  the  US  Department  of  Justice  (DOJ)  might  have 
pursued  criminal  action.  Prior  examples  exist,  as  the  DOJ  has  successfully 
prosecuted  several  criminal  cases  during  the  past  two  years  involving  DDoS 
attacks.38  From  the  COE  Convention’s  perspective,  an  investigation  by 
Interpol,  rather  than  NATO,  would  have  been  the  proper  response  to  both 
the  Estonian  (April  2007)  and  Georgian  (July  2008)  DDoS  attacks.  The 
Assistant  Director  of  the  US  Federal  Bureau  of  Investigation’s  (FBI)  Cyber 
Division  recently  confirmed  this  view  when  he  stated  that  the  FBI  is  “seeing 
an  increase  in  the  use  of  botnets  ...  to  commit  cybercrime.”39  The  result  has 
been  a  growing  body  of  cybercrime  law,  yielding  additional  clarity  for  law 
enforcement  agencies  and  prosecutors.  This  same  level  of  clarity  is  lacking 
when  the  nature  of  a  cyber  event  changes  from  cyber  crime  to  apparent 
cyber  war. 

On  8  August  cyber  security  experts  observed  a  second,  much  larger 
wave  of  DDoS  attacks  against  Georgian  Web  sites.  The  experts  speculated 
that  these  attacks  were  associated  with  Russia’s  movement  of  military  forces 
into  South  Ossetia.  Some  analysts  even  declared  this  incident  was  the  first 
time  a  cyber  attack  had  coincided  with  a  conventional  shooting  war.40  Others 
characterized  the  Georgian  cyber  incident  as  “the  birth  of  true,  operational 
cyber  warfare”  and  “the  most  significant  development  ever  seen  in  . . .  cyber 
conflict  studies.”41  The  DDoS  attack  spread  to  computers  throughout  the 
Georgian  government.42  The  Georgian  Foreign  Ministry  blamed  Russia  for 
the  attacks.43  Others  pointed  to  the  Russian  Business  Network,  a  criminal 
syndicate  suspected  of  being  under  direct  Russian  government  influence.44 
Conversely,  an  Internet  journalist  accessed  a  Web  site  and  downloaded 
prepackaged  software  that  would  have  enabled  him,  had  he  chosen  to  do  so, 
to  join  in  the  attacks.  His  assessment: 
In less than an hour, I had become an Internet soldier. I didn’t receive any calls
from  Kremlin  operatives  ....  Paranoid  that  the  Kremlin’s  hand  is  everywhere, 
we  risk  underestimating  the  great  patriotic  rage  of  many  ordinary  Russians,  who 
. . .  undoubtedly  went  online  to  learn  how  to  make  mischief,  as  I  did.  Within  an 
hour,  they,  too,  could  become  cyber  warriors.45 

Project  Grey  Goose,  an  organization  of  100  volunteer  US  security 
experts  from  government  and  the  private  sector,  conducted  a  comprehensive 
investigation  into  the  cyber  attacks.  Grey  Goose  investigator  Jeff  Carr 
stressed  that  “the  level  of  advance  preparation  and  reconnaissance  strongly 
suggests  that  Russian  hackers  were  primed  for  the  assault  by  officials  within 
the  Russian  government.”46  While  Grey  Goose  members  did  not  find  a  direct 
link  between  Russian  government  officials  and  the  hackers,  they  claim  it  is 
unreasonable  to  assume  that  no  such  connection  existed. 

Most  cyber  security  experts  have  generally  concluded  that  an  amalgam 
of  government-incentivized  agents,  hackers,  and  cyber-citizen  protestors 
carried  out  the  2008  DDoS  attacks.47  Gadi  Evron,  former  head  of  cyber 
security  for  the  Israeli  government,  stated,  “This  is  not  warfare,  but  just 
some unaffiliated attacks by Russian hackers.”48 Arbor Networks, a
well-respected security firm, “found no evidence” of government-sponsored
cyber warfare.49 Experts at cyber security firm Shadowserver indicated
“it would appear that these cyber attacks have certainly moved into the
hands of the average computer-using citizen.”50 Bobbie Johnson of The
Guardian commented that “many of these strikes seem to be cases of
so-called ‘hacktivism’ ... (a) collective grassroots movement — a sort of ‘click
for  victory’  campaign.”51  Although  there  are  other  competing  classified 
intelligence  views,  they  are  beyond  the  scope  of  this  article. 

While  a  great  deal  of  effort  has  been  applied  to  identifying  the 
parties  that  conducted  the  cyber  attacks  against  Georgia,  perhaps  of  greater 
importance  to  US  policymakers  is  the  Georgian  government’s  innovative 
reaction.  This  element  of  the  Georgia-Russia  cyber  conflict  has  received 
less  attention,  yet  potentially  does  have  significant  implications  for  US 
cyber  policy.  If  the  responsibilities  of  nations  are  somewhat  unclear  during 
cyber  conflict,  they  are  even  more  ambiguous  when  a  belligerent  takes  cyber 
refuge  in  a  neutral  country’s  territory. 

Tulip  Systems  (TSHost)  is  a  private  Web  hosting  company  in  Atlanta, 
Georgia.  On  8  August  2008,  while  in  the  nation  of  Georgia,  the  owner  of 
TSHost  apparently  contacted  Georgian  government  officials  and  offered 
assistance in reconstituting Georgian Internet capabilities.52 A day later
the  Georgian  government  transferred  critical  cyber  capabilities  to  TSHost 
servers  in  the  United  States,  including  the  Web  sites  of  Georgia’s  President 
and  the  Ministry  of  Defense.53  In  a  startling  admission,  the  TSHost  chief 
executive  officer  (CEO)  stated  that  the  company  had  volunteered  its  servers 
to  “protect”  the  nation  of  Georgia’s  Internet  sites  from  malicious  traffic.54 
TSHost  further  revealed  that  after  it  relocated  Georgian  Web  sites  to  the 
United  States,  DDoS  attacks  ensued  against  the  company’s  servers.55  The 
TSHost  CEO  confirmed  the  company  reported  the  attacks  to  the  FBI,  but  at  no 
point  did  he  claim  to  have  obtained  government  sanction  for  his  activities.56 

An  important  aspect  of  the  Georgia-Russia  conflict  is  not  widely 
known:  An  American  company,  with  no  clear  authority  and  no  apparent 
US  government  approval,  directly  contacted  the  Georgian  government  and 
arranged  to  protect  its  Internet  assets  by  moving  them  to  US  territory.  While 
Georgia’s  combat  troops  retreated  to  Tbilisi  to  defend  the  capital,  the  nation’s 
cyber  forces  retreated  to  the  United  States  to  defend  their  capabilities. 
Undeterred,  cyber  attackers  followed  and  turned  their  DDoS  attacks  against 
the  US  site.  As  a  result  of  TSHost’s  actions,  the  United  States  effectively 
experienced  cyber  collateral  damage. 

The  Georgian  government  also  sought  additional  protection  within 
the  United  States  by  transferring  its  Ministry  of  Foreign  Affairs  media 
releases  and  government  news  sites  to  Google’s  Blogspot.57  Google  became 
an  additional  cyber  refugee  camp  for  Georgia.  There  were  also  accusations, 
later  refuted,  that  Google,  out  of  sympathy  to  Georgia,  removed  details  of 
Georgian  maps  from  Google’s  online  mapping  service.58 

Implications 

Using  the  2008  Georgian  cyber  event  as  a  case  study,  the  authors 
seek  to  illuminate  two  issues  regarding  cyber  neutrality.  The  first  question 
is  how  did  the  combined  actions  of  the  Georgian  government  and  private 
US  companies  impact  America’s  cyber  neutrality?  Analysis  of  Georgia’s 
reaction  to  the  cyber  attacks  provides  some  insight. 

The  core  feature  of  Georgia’s  creative  cyber  strategy  was  the  belief 
that  cyber  attackers  lacked  the  capability  to  defeat  TSHost  or  Google’s 
Internet  security  measures.  During  the  conflict,  an  astute  analyst  noted 
that  “Georgia  has  turned  to  using  the  Google  Blogger  service  as  a  method 
of  communication  .  .  .  and  it  has  proved  to  be  a  sustainable  resource. 
Governments will need to have strategies in place to prepare for this type of
attack.”59  When  Estonia  experienced  cyber  attack,  it  essentially  defended  in 
place;  Georgia,  on  the  other  hand,  maneuvered.  Georgia  relocated  strategic 
IP-based  cyber  capabilities  to  America,  thereby  ensuring  continued  wartime 
communication  with  Georgian  citizens  and  military  forces.  The  Georgian 
government  partially  defeated  the  cyber  attack  by  flowing  a  portion  of  its 
strategic  C2  through  the  United  States. 

Arguably,  cyber  planners  might  hail  Georgia’s  “cyber  left  hook” 
maneuver  as  a  new  precedent  in  strategic  cyber  operations.  On  the  other 
hand,  US  policymakers  have  reason  to  be  concerned.  While  Georgia’s  cyber 
tactics  may  have  appeal  operationally,  the  combined  actions  of  the  Georgian 
government  and  private  US  companies  potentially  imperiled  US  cyber 
neutrality.  There  is  no  evidence  to  suggest  that  the  Georgian  government 
coordinated  its  cyber  strategy  with  the  US  administration.  Although  the  US 
government  was  apparently  not  directly  involved,  the  actions  of  Georgia, 
TSHost,  and  Google  nevertheless  gave  the  appearance  of  US  political 
sanction.  For  example,  one  Internet  media  source  reported  that  Georgia 
had  found  “allies”  in  reference  to  Georgia’s  use  of  international  and  US  IT 
facilities  during  the  conflict.60  Before  seeking  cyber  refuge  in  the  United 
States,  the  Georgian  government  would  have  been  well-served  to  inform 
the  US  Embassy  in  Tbilisi  and  afford  the  US  government  the  opportunity  to 
review  the  matter  and  consider  its  implications. 

The  second  question  is  can  the  United  States  maintain  cyber 
neutrality  during  cyber  conflict?  Unsettled  legal  protocol,  compounded  by 
the  lack  of  prior  precedents,  impairs  the  ability  to  provide  concrete  answers. 
Analysis  utilizing  the  neutrality  elements  of  the  Hague  (V)  Conventions, 
however,  can  provide  additional  insight. 

Hague  (V)  Article  3  forbids  belligerents  from  erecting  on  the  territory 
of  a  neutral  power  a  “wireless  telegraphy  station  or  other  apparatus”  for  the 
purpose  of  communicating  with  belligerent  forces.  Georgia  did  not  relocate 
its  Internet  capabilities  to  nebulous  cyber  “space;”  rather,  it  moved  them  to 
equipment  physically  located  in  US  territory.  One  possible  argument  is  that 
the  Georgian  government,  as  a  cyber  belligerent,  violated  Hague  (V)  when 
it  used  Web  sites  in  the  United  States  as  “other  apparatus”  to  communicate 
with  its  military  forces.  By  allowing  these  actions  to  continue  after  the 
media  revealed  Georgia’s  cyber  transfer,  the  US  government  potentially 
jeopardized its cyber neutrality. Conversely, it is possible to argue that
private US IT firms simply engaged in routine commerce while assisting a
foreign government to overcome the effects of a criminal act.

Parameters

Article  4  of  Hague  (V)  establishes  that  “corps  of  combatants” 
cannot  be  formed  on  the  territory  of  a  neutral  power  to  assist  belligerents. 
“Cyber  corps”  and  “cyber  warriors”  are  terms  often  used  in  reference  to  US 
government  personnel  who  conduct  cyber  operations.61  Given  that  private 
industry  operates  the  majority  of  the  Internet,  there  is  concern  as  to  whether 
the  category  of  “combatant”  could  also  be  extended  to  civilian  IT  technicians 
during cyber conflict.62 Speaking about the success of his company in defending
Georgia’s  Web  site,  the  TSHost  CEO  stated,  “Literally,  our  people  aren’t 
getting  any  sleep.”63  The  actions  of  TSHost  and  Google  might  be  interpreted 
as  a  violation  of  Hague  (V)  in  that  they  formed  a  quasi-corps  of  “cyber 
combatants”  on  US  territory  to  assist  Georgia,  a  presumed  cyber  belligerent. 

According  to  Hague  (V)  Article  6,  a  neutral  power  is  not  held 
responsible  when  a  person  “crosses  the  frontier  separately”  to  offer  services 
to  a  belligerent.  It  may  be  argued  that  TSHost  and  Google  “crossed  the  cyber 
frontier”  without  US  government  cognizance  when  they  offered  services  to 
Georgia.  Under  this  interpretation,  the  US  government  would  be  seen  as 
innocent,  and  therefore  American  neutrality  remained  intact. 

Hague  (V)  Article  7  holds  that  a  neutral  power  is  not  required  to 
“prevent  the  export  or  transport”  of  arms  or  munitions  to  belligerents.  One 
may advance the case that Article 7 permits the export or provision of cyber
services  to  belligerents.  If  that  instance  is  true,  TSHost  and  Google  legally 
exported  or  transported  Internet  capabilities  to  Georgia  without  jeopardizing 
US  cyber  neutrality. 

Hague  (V)  articles  8  and  9  establish  that  a  neutral  nation  is  “not 
required  to  restrict”  a  belligerent’s  use  of  a  neutral’s  telecommunications 
systems  if  these  services  are  provided  impartially  to  all  nations.  The  US 
government  possibly  may  claim  that  it  impartially  allowed  use  of  US  cyber 
systems:  in  July  2008,  to  Russian-supported  cyber  attackers;  and  in  August 
2008,  to  the  Georgian  government.  In  doing  so,  however,  the  United  States 
may  have  unknowingly  established  an  undesired  precedent.  Conceivably, 
future  cyber  belligerents,  taking  note  of  US  action  in  the  Georgian  case, 
might  demand  similar  use  of  the  US  Internet  infrastructure  under  the  Hague 
(V)  impartiality  clause.  The  potential  implications  are  disturbing. 

Based  on  this  analysis,  it  is  clear  that  the  United  States  can  maintain 
cyber  neutrality  during  cyber  conflict,  but  it  needs  to  be  proactive  in  doing 
so.  Ultimately,  the  single  greatest  peril  to  US  cyber  neutrality  during  the 
Russian-Georgian conflict was the lack of US government assertiveness
in  establishing  its  official  stance  on  cyber  usage.  During  the  conventional 
conflict,  the  United  States  proactively  signaled  its  position  by  airlifting 
2,000  Georgian  troops  from  Iraq  and  delivering  humanitarian  aid  to 
Georgian  ports.64  In  addition,  the  US  government-funded  Voice  of  America 
(VOA)  doubled  its  Georgian-language  broadcasts  to  ensure  that  Georgians 
were “fully informed about what’s happening in their country.”65 The US
government  might  have  linked  the  notion  of  “humanitarian  cyber  support” 
to  its  overall  humanitarian  aid  effort.  Doing  so  would  have  signaled  that  US 
Internet support to Georgia, similar to VOA broadcasts, was for humanitarian
purposes,  and  therefore  not  in  violation  of  any  Hague  Conventions. 

It is clear that the Georgian and Russian governments were conventional
belligerents in the Ossetian theater of conflict. It is unclear, however,
if  they  were  cyber  belligerents.  When  bombs  and  bullets  fly,  identification 
of  warring  parties  is  relatively  easy;  but  not  so  for  cyber  activities.  Both 
governments  claim  they  did  not  participate  in  the  DDoS  attacks.  Expert 
analysis  substantiates,  to  a  degree,  these  claims.  The  DDoS  attacks  possibly 
were  cyber  conflict  by  proxy,  not  through  nations.  Instead,  the  proxy 
operators  were  cyber  criminals,  cyber  citizen-mobs,  and  self-styled  cyber 
militia.  This  distinction  leads  to  uncertainty  as  to  which  parties  were  cyber 
belligerents. 

Existing  international  laws  of  war  are  generally  based  on  the 
notion  of  “borders”  in  that  these  laws  primarily  govern  conflicts  between 
nation-states  with  recognized  geographic  boundaries.  This  construct  is 
fundamentally  weak  in  addressing  borderless,  nonstate  actor  participation 
in  cyber  conflict  where  individuals  organize  their  own  cyber  campaigns.  In 
his  book  Here  Comes  Everybody,  Clay  Shirky  notes  that  “ridiculously  easy 
group  formation”  is  a  defining  characteristic  of  the  contemporary  Internet.66 
Cyber  conflict  between  nations  is  a  serious  concern,  but  as  the  Georgian 
DDoS  attacks  demonstrate,  perhaps  of  even  greater  concern  is  the  growing 
trend  of  cyber  conflict  between  nations  and  ad  hoc  assemblages. 

Until  the  Georgian  case,  the  2007  Estonian  cyber  event  was  the 
quintessential  example  of  this  nation  versus  group  phenomenon.  Originally 
labeled as cyberwar, this assessment changed in the post-conflict retrospective
analysis.  The  international  community  now  appears  to  have  concluded  that 
unattributable,  nonstate  actor  DDoS  attacks  are  not  cyber  war.  At  best, 
according  to  Estonian  officials,  they  are  terrorism,  which  is  a  crime.67  The 
DDoS attacks against Georgia and Estonia were strikingly similar. Given the
ultimate  characterization  of  the  Estonian  case  as  cyber  crime  or  cyber  terror, 
this  similarity  places  in  serious  doubt  whether  a  legally  recognizable  state  of 
cyber  war  existed  between  the  governments  of  Georgia  and  Russia.  A  legal 
task  team  from  the  NATO-accredited  Cooperative  Cyber  Defense  Center  of 
Excellence  in  Tallinn,  Estonia,  drew  a  similar  conclusion  in  stating  that  “it 
is  highly  problematic  to  apply  the  Law  of  Armed  Conflict  to  the  Georgian 
cyber  attacks — the  objective  facts  of  the  case  are  too  vague  to  meet  the 
necessary  criteria  of  both  state  involvement  and  gravity  of  effect.”68 

As  Ethan  Zuckerman,  of  Harvard  University’s  Berkman  Center 
for  Internet  and  Society,  notes:  “It’s  unclear  whether  ‘cyberwar’  is  even 
an  appropriate  term  for  what’s  taken  place  ...  in  Georgia.  It’s  worth 
remembering  that  in  this  ‘cyberwar,’  the  most  serious  consequence  is  that  a 
Web  site  becomes  temporarily  inaccessible.”69  If  a  state  of  cyber  war  does 
not  exist,  then  cyber  neutrality  is  clearly  established.  This  interpretation 
certainly  raises  questions  as  to  whether  the  United  States  was  even  in  a  state 
of  cyber  neutrality  during  the  Russian-Georgian  conflict.  The  Georgian  case 
now  stands  as  an  example  of  the  untidy  nature  of  cyber  conflict.  Clearly,  the 
Estonian  and  Georgian  cyber  events  have  established  new  precedents  and 
subtexts  for  cyber  war  and  neutrality. 

Conclusion 

The  cyber  conflict  associated  with  the  Georgian-Russian  crisis  is  a 
likely  indicator  of  future  cyber  scenarios  and  will  undoubtedly  impact  the 
United  States,  either  directly  or  indirectly.  Conventional  wisdom  suggests 
that  existing  law  extends  by  analogy  to  encompass  cyber  conflict.  As  the 
Georgian  case  shows,  however,  current  international  law  is  ambiguous  and 
ill-suited  to  define  contemporary  cyber  rules  of  engagement.  In  future  cyber 
conflict,  it  might  serve  the  US  government  well  to  clearly  demarcate  its 
“cyber  relationship”  vis-a-vis  cyber  belligerents.  In  addition,  the  US  State 
Department  should  consider  invigorating  multilateral  efforts  to  clarify  the 
terms  and  conditions  of  cyber  neutrality  in  future  cyber  protocols. 

The  COE  Convention  and  current  US  law  view  the  July  2008  DDoS 
attack  against  Georgia  as  cyber  crime.70  Under  these  rules,  the  United  States 
had  the  option  of  partnering  with  Georgia  in  apprehending  and  prosecuting 
the  offenders.  Nearly  identical  DDoS  attacks  against  Georgia  occurred  three 
weeks  later,  in  August.  By  that  time  Georgia  and  Russia  were  recognized 
belligerents  in  a  conventional  shooting  war.  As  a  result,  many  governments 
throughout  the  international  community  viewed  the  second  DDoS  attacks 
as  cyber  war,  potentially  subject  to  the  Hague  (V)  Conventions.  By  that 
definition,  the  US  relationship  with  Georgia  apparently  switched  from 
cyber  partner  to  cyber  neutral,  compelling  the  United  States  to  avoid  direct 
material  assistance  to  Georgia.  This  complex  scenario  is  fraught  with  legal 
and  operational  intricacies,  and  highlights  the  compelling  need  for  strategists 
to  have  a  clear  grasp  of  cyber  neutrality  concepts. 

Under  the  Law  of  Armed  Conflict,  civilians  and  civilian  property 
that  make  a  “direct  contribution”  to  a  war  effort  may  be  subject  to  attack.71 
When  TSHost  and  Google  provided  cyber  defense  to  Georgia,  adversaries 
potentially  may  have  concluded  that  those  companies  were  proxies  acting 
on  behalf  of  the  US  government.  Even  if  the  US  government  did  not 
officially  sanction  TSHost  and  Google’s  actions,  their  activities  nonetheless 
might  have  been  construed  as  contributing  to  Georgia’s  war  effort,  possibly 
exposing  the  US  Internet  infrastructure  and  assets  of  computer-server  firms 
to  cyber  attack.  In  light  of  this  risk,  US  policymakers  should  consider  the 
wisdom  of  continuing  a  cyber  strategy  that  appears  to  rely  heavily  on  the 
loosely  controlled  actions  of  private  industry. 

US  government  actions,  or  lack  thereof,  during  the  Georgian  cyber 
crisis  have  the  potential  of  creating  false  impressions  regarding  official 
cyber  policy.  Other  countries  might  see  the  Georgian  event  as  a  green  light 
to  seek  cyber  refuge  in  the  United  States  during  future  cyber  conflicts. 
Following  the  Georgian  example,  a  nation  undergoing  a  cyber  attack  might 
conceivably  seek  to  relocate  all  of  its  critical  cyber  capabilities  to  the  United 
States.  Potential  adversaries  might  mistakenly  see  that  step  as  indicative 
of  a  defensive  US  cyber  umbrella  over  allies  and  friends,  and  prepare 
strategies  to  prevent  the  United  States  from  successfully  providing  cyber 
sanctuary.  Fortunately,  rather  than  seeking  cyber  refuge  on  US  government- 
controlled  “.gov”  or  “.mil”  domains,  Georgia  relocated  its  Internet  assets  to 
private  “.com”  sites.  This  decision  served  as  an  indicator — albeit  weak — to 
the  international  community  that  the  Georgian  government  was  not  seeking 
direct  protection  from  the  US  government.  Still,  these  sites  were  located 
within  US  territory;  their  involvement  brings  Georgia’s  intent,  and  US 
cyber  neutrality,  into  question.  The  US  government  should  take  steps  to 
determine  if  it  will  allow  future  cyber  belligerents  to  make  use  of  Internet 
assets  in  the  United  States,  and  if  so,  what  protocol  is  appropriate  to  control 
the  situation. 

Neutrality  is  an  essential  tenet  of  international  law.  When  strictly 
observed,  it  prevents  the  spread  of  conflict.  History  shows  that  neutrality  is 
inherently  fragile  during  war,  however,  and  now  even  more  so  during  cyber 
war.  Events  surrounding  the  Georgian-Russian  cyber  conflict  should  remind 
US  policymakers  of  the  serious  nature  of  cyber  neutrality  and  motivate  an 
in-depth  assessment  and  refinement  of  US  policies  and  procedures  regarding 
this  concept. 